Standard deviation calculation is biased

Malicious peer can cause a syncing node to panic during blocksync

Replayable signatures allowing free deploys when they should not be free

Overdue balances cannot be paid back

Downcast in UToken.borrow allowing borrows that should not be allowed

Comptroller.withdrawRewards: totalFrozen subtracted two times from totalStaked

AssetManager.removeAdapter: Adapter not removed from withdrawSeq

UserManager.cancelVouch not updating voucherIndexes / voucheeIndexes

setCurvePoint: unit not updated when curve.length changes

Deployment can be bricked by manually transferring small LINK amount before first deposit

TrueFiStrategy: Too little withdrawn when used with AlphaBetaSplitter

Funds are locked up for fee-on-transfer

Withdrawing payments may fail

Overflow possible in logIncomingERC20

ExchangeRate age not checked

LEther: Flash loan can be used to manipulate borrow rate

ChainlinkOracle: Assumes all feeds have 8 decimals

ERC4626Oracle: Assumes that asset and share have same number of decimals

UniV2LPOracle: Decimals of pair tokens ignored

StableBalancerLPOracle: Wrong calculation

BalancerController: Can be misused to get non-approved tokens into the account

AccountManager: Liquidations not possible when transfer fails

AccountManager: address(0) used for borrowing ETH

AccountManager: Fee-On-Transfer tokens not supported